Some Security Risks of Using Push-Based CD
Surprisingly I’m recently not finding a strong majority of voices saying that Push-Based Continuous Delivery should never be used due to security concerns. So I feel there is a need to clarify risks more explicitly.
First of all here is what I mean by Push-Based CD. Simply, this is the approach, where SSH-key or some deployment token (i.e. Kubernetes token) is placed directly into CI tool and used to establish connection from CI tool to deployment server and force some action on that server.
The alternative is clear – use Pull-Based CD approach from within the instance itself. So essentially, CI job builds an artifact and pushes it to some storage. Then from the instance the artifact is pulled by CD job via some routing rules. Read more about modern CI/CD best practices in my other post.
To summarize, not so long ago it was well understood that any production-grade instance must be isolated from the Internet and use jump-boxes or bastions to connect to them. Push-Based CD was clearly not even considered as a viable option in such setup.
